Abstract

One of the central issues in the hidden subgroup problem is to bound the sample complexity, i.e., the number of identical samples of coset states sufficient and necessary to solve the problem. In this paper, we present general bounds for the sample complexity of the identification and decision versions of the hidden subgroup problem. As a consequence of the bounds, we show that the sample complexity for both of the decision and identification versions is $\Theta(\log|\mathcal{H}|/\log p)$ for a candidate set $\mathcal{H}$ of hidden subgroups in the case that the candidate subgroups have the same prime order $p$, which implies that the decision version is at least as hard as the identification version in this case. In particular, it does so for the important instances such as the dihedral and the symmetric hidden subgroup problems. Moreover, the upper bound of the identification is attained by the pretty good measurement. This shows that the pretty good measurement can identify any hidden subgroup of an arbitrary group with at most $O(\log|\mathcal{H}|)$ samples.



1 Introduction



1.1 Background 

The hidden subgroup problem is one of the central issues in quantum computation, which was introduced for 
revealing the structure behind exponential speedups in quantum computation [34].

Definition 1.1 (Hidden Subgroup Problem (HSP)) Let $G$ be a finite group. For a hidden subgroup $H \le G$, we define a map $f_H$ from $G$ to a finite set $S$ with the property that $f_H(g) = f_H(gh)$ if and only if $h \in H$. Given $f_H : G \to S$ and a generator set of $G$, the hidden subgroup problem (HSP) is the problem of finding a set of generators for the hidden subgroup $H$. We say that HSP over $G$ is efficiently solvable if we can construct an algorithm in time polynomial in $\log |G|$.

The nature of many existing quantum algorithms relies on efficient solutions to Abelian HSPs (i.e., HSPs over Abelian groups) [41, 28, 5, 6]. In particular, Shor's celebrated quantum algorithms for factoring and discrete logarithm essentially consist of reductions to certain Abelian HSPs and efficient solutions to the Abelian HSPs [40]. Besides his results, many efficient quantum algorithms for important number-theoretic problems (e.g., Pell's equation [15] and unit group of a number field [16, 38]) were based on solutions to Abelian HSPs.



Recently, non-Abelian HSPs have also received much attention. It is well known that the graph isomorphism problem can be reduced to the HSP over the symmetric group 151131 (more strictly, the HSP over $S_n \wr S_2$ [8]). Regev showed that we can construct an efficient quantum algorithm for the unique shortest vector problem if we find an efficient solution to HSP over the dihedral group under certain conditions [36]. While the efficient quantum algorithm for general Abelian HSPs has been already given [28, 34], the non-Abelian HSPs are far harder than the Abelian ones. There actually exist efficient quantum algorithms for HSPs over several special classes of non-Abelian groups [37, 11, 18, 12, 14, 23, 24, 30, 2]. Nonetheless, most of the important cases of non-Abelian HSPs, including the dihedral and symmetric HSPs, are not known to have efficient solutions. Thus, finding efficient algorithms for non-Abelian HSPs is one of the most challenging issues in quantum computation.

The main approach to the non-Abelian HSPs is based on a generic framework called the standard method. 
To our best knowledge, all the existing quantum algorithms for HSPs essentially contain this framework. The 
standard method essentially reduces HSPs to the quantum state identification [39] for the so-called coset states,
which contain information of the hidden subgroup. 

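Definition 1.2 (Coset State and Standard Method) Let $G$ be any finite group and $H$ be the hidden subgroup of $G$. We then define the coset state $\rho_H$ for $H$ as $\rho_H = \frac{1}{|G|}\sum_{g\in G}|gH\rangle\langle gH| = \frac{|H|}{|G|}\sum_{g\in G/H}|gH\rangle\langle gH|$, where $|gH\rangle = \frac{1}{\sqrt{|H|}}\sum_{h\in H}|gh\rangle$.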

Standard Method with k Coset States 

(1) Prepare two registers with a uniform superposition over $G$ in the first register and all zeros in the second register: $\frac{1}{\sqrt{|G|}}\sum_{g\in G}|g\rangle|0\rangle$.

(2) Compute $f_H(g)$ and store the result to the second register: $\frac{1}{\sqrt{|G|}}\sum_{g\in G}|g\rangle|f_H(g)\rangle$.

(3) Discard the second register to obtain a coset state: $\rho_H = \frac{|H|}{|G|}\sum_{g\in G/H}|gH\rangle\langle gH|$.

(4) Repeat (1)-(3) $k$ times and then apply a quantum measurement to $k$ samples of $\rho_H$.

Thus the main task for solving HSP based on the standard method is to find an efficiently implementable 
quantum measurement extracting the information of the hidden subgroup from identical samples of the coset 
state. 

Many researchers have broadly studied hard instances of non-Abelian HSPs from positive and negative 
aspects based on the standard method. In particular, they have focused on the sample complexity of HSPs, 
i.e., how many coset states are sufficient and necessary to identify the hidden subgroup with a constant success 
probability. 

In several classes of the non-Abelian HSPs for which efficient algorithms are unknown, it is shown that we can identify any hidden subgroup by (possibly inefficient) classical post-processes using the classical information obtained by the quantum Fourier transforms to polynomially many samples of coset states [9, 18, 14, 30].

Bacon, Childs and van Dam demonstrated that the so-called pretty good measurement (PGM, also known as the square root measurement or least squares measurement [20]) is optimal for identifying coset states in view of the sample complexity on a class of semidirect product groups $A \rtimes \mathbb{Z}_p$ including the dihedral group, where $A$ is any Abelian group and $p$ is a prime [2]. They proved that the sample complexity is $\Theta(\log|A|/\log p)$ to identify the hidden subgroup by the PGM from the candidate set $\mathcal{H}_{\mathrm{sdp}} = \{\langle (a,1)\rangle \le A \rtimes \mathbb{Z}_p : a \in A\}$. Moore and Russell generalized their result to prove the optimality of the PGM for a wider class of HSPs [31]. They actually gave the PGM for identifying coset states of hidden conjugates of a subgroup, i.e., hidden subgroups having form of $g^{-1}Hg$ for a fixed non-normal subgroup $H$ of a finite group $G$ and $g \in G$. These results of [2, 31] showed that the PGM succeeds for a wide class of HSPs with at most $O(\log|\mathcal{H}|)$ samples for the candidate set $\mathcal{H}$ of hidden subgroups. For a more general case, Ettinger, Høyer and Knill gave a bounded-error quantum measurement that solves HSP over any finite group $G$ with O(log^ |G|) samples of coset states (Theorem 2 in [10]). They also constructed an error-free measurement for the general HSP with the same sample complexity O(log^ |G|) within a constant factor in [10] by combining the bounded-error one with the amplitude amplification technique Q.

These quantum measurements ignore the time complexity issue in general. However, they may lead to efficient quantum algorithms for HSPs. Bacon et al. actually gave efficient implementation of the PGM for identifying given coset states on a class of the semidirect groups including the Heisenberg group [2], i.e., they constructed an efficient quantum algorithm for the HSPs from the corresponding PGMs. Hence, to give the quantum measurements for identification of given coset states like PGMs may play important roles towards the construction of efficient quantum algorithms for HSPs.

The negative results of the standard method have also been studied from an information-theoretic viewpoint, which are based on a decision version of the HSP defined as the problem of deciding whether the hidden subgroup is trivial or not. In particular, the difficulty of the HSP over the symmetric group $S_n$ has been shown by a number of results for this decision version [18, 14, 17, 33, 32]. Hallgren et al. recently proved that a joint measurement across multiple samples of coset states is essentially required to solve a decision version over the symmetric group, which is deeply related to the graph isomorphism problem. More precisely, they showed that joint quantum measurements across $\Omega(n \log n)$ samples of coset states are necessary to decide whether the given samples are generated from the trivial subgroup $\{\mathrm{id}\}$ or a subgroup in $\mathcal{H}_{\mathrm{sym}} = \{H \le S_n : H = \langle h\rangle,\ h^2 = \mathrm{id},\ h(i) \ne i\ (i = 1,\dots,n)\}$, i.e., a set of all the subgroups generated by the involution composed of $n/2$ disjoint transpositions [17].

1.2 Our Contributions 

We study upper and lower bounds for the sample complexity of general HSPs from an information-theoretic
viewpoint. We consider two problems associated with HSPs to deal with their sample complexity. The first one 
is the identification version for solving HSPs based on the standard method. 

Definition 1.3 (Coset State Identification (CSI)) Let $\mathcal{H}$ be a set of candidate subgroups of a finite group $G$. We then define $S_{\mathcal{H}}$ as a set of coset states corresponding to $\mathcal{H}$. Given a black box that generates an unknown coset state $\rho_H$ in $S_{\mathcal{H}}$, the Coset State Identification (CSI) for $\mathcal{H}$ is the problem of identifying $H \in \mathcal{H}$.

One can easily see that any solution to HSP based on the standard method reduces to this identification of coset
states. We now define the sample complexity of CSI for $\mathcal{H}$ as the sufficient and necessary number of samples
for identifying the given coset state with a constant probability. 

The second one is the decision version, named the Triviality of Coset State. Special cases of this problem have been discussed for the limitations of the standard method in many previous results [18, 14, 27, 32, 33] [U El.

Definition 1.4 (Triviality of Coset State (TCS)) Let $\mathcal{H}$ be a set of candidate non-trivial subgroups of a finite group $G$, i.e., $H \ne \{\mathrm{id}\}$ for every $H \in \mathcal{H}$. We then define $S_{\mathcal{H}}$ as a set of coset states corresponding to $\mathcal{H}$. Given a black box that generates an unknown state $\sigma$ that is either in $S_{\mathcal{H}}$ (i.e., a coset state for the non-trivial subgroup) or equal to $I/|G|$ (i.e., a coset state for the trivial subgroup), the Triviality of Coset State for $S_{\mathcal{H}}$ is the problem of deciding whether $\sigma$ is in $S_{\mathcal{H}}$ or equal to $I/|G|$. We say that a quantum algorithm solves TCS with a constant advantage if it correctly decides whether a given state is in $S_{\mathcal{H}}$ or equal to $I/|G|$ with success probability at least $1/2 + \delta$ for some constant $\delta \in (0, 1/2]$.

Similarly to the case of CSI, we define the sample complexity of TCS for $\mathcal{H}$ as the sufficient and necessary
number of coset states to solve TCS with a constant advantage. 

Note that this problem might be efficiently solvable even if we cannot identify the hidden subgroup. Actually, if we can give a solution to TCS for $\mathcal{H}_{\mathrm{sym}} = \{H \le S_n : H = \langle h\rangle,\ h^2 = \mathrm{id},\ h(i) \ne i\ (i = 1,\dots,n)\}$, we can also solve the rigid graph isomorphism problem, i.e., the problem of finding an isomorphism between two graphs having no non-trivial automorphisms, and the decisional graph automorphism problem, i.e., the problem of deciding whether a given graph has non-trivial automorphisms or not [29].

In this paper, we give bounds of the sample complexity of CSI and TCS by simple information-theoretic 
arguments. We present the following bounds of the sample complexity of CSI. 

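Theorem 1.5 (Upper and Lower Bounds for CSI) Let $\mathcal{H}$ be any set of candidate subgroups of a finite group. Then, the sample complexity of CSI for $\mathcal{H}$ is at most $O\left(\frac{\log|\mathcal{H}|}{\log\min_{H\ne H'\in\mathcal{H}}(|H|/|H\cap H'|)}\right)$ and at least $\Omega\left(\frac{\log|\mathcal{H}|}{\log\max_{H\in\mathcal{H}}|H|}\right)$.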



Moreover, the upper bound of CSI can be attained by the PGM. This shows that we can identify a hidden subgroup for an arbitrary group $G$ by the PGM with at most $O(\log|\mathcal{H}|)$ samples, which is a wider class than those of the previous results [2, 31]. It is noted that the essentially same upper bound¹ for CSI follows from the result of Ettinger et al. [10]. However, their measurement is not known to be a pretty good measurement.
We also present the following bounds of the sample complexity of TCS.

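Theorem 1.6 (Upper and Lower Bounds for TCS) Let $\mathcal{H}$ be any set of candidate subgroups of a finite group. Then, the sample complexity of TCS for $\mathcal{H}$ is at most $O\left(\frac{\log|\mathcal{H}|}{\log\min_{H\in\mathcal{H}}|H|}\right)$. If $|H|$ is a prime for every $H \in \mathcal{H}$, the sample complexity is at least $\Omega\left(\frac{\log|\mathcal{H}|}{\log\max_{H\in\mathcal{H}}|H|}\right)$.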

Summarizing these bounds, we obtain the following tight bounds for a class of CSI and TCS including several important instances such as $\mathcal{H}_{\mathrm{sdp}}$ and $\mathcal{H}_{\mathrm{sym}}$.

Corollary 1.7 Let $\mathcal{H}$ be any set of candidate subgroups of a finite group satisfying that $|H| = p$ for every $H \in \mathcal{H}$, where $p$ is a prime. Then, the sample complexity of CSI and TCS for $\mathcal{H}$ is $\Theta\left(\frac{\log|\mathcal{H}|}{\log p}\right)$.

This theorem implies that the decision version is as hard as the corresponding identification version in view of 
the sample complexity for this class. 

We moreover apply our arguments to evaluation of information-theoretic security of the quantum encryption schemes proposed by Kawachi et al. [25, 26]. They proposed two quantum encryption schemes: One is a single-bit encryption scheme, which has a computational security proof based on the worst-case hardness of the decisional graph automorphism problem, and the other is a multi-bit encryption scheme, which has no security proof. Since their schemes make use of quantum states quite similar to coset states over the symmetric group as the encryption keys and ciphertexts, our proof techniques are applicable to the security evaluation of their schemes. We prove that the success probability of any computationally unbounded adversary distinguishing between any two ciphertexts is at most $\frac{1}{2} + 2^{-\Omega(n)}$ in their $\log m$-bit encryption scheme with the security parameter $n$ if the adversary has only $o\left(\frac{n\log n}{m\log m}\right)$ encryption keys.

2 Information-Theoretic Bounds 

In this section, we present the general bounds for CSI and TCS. We first introduce basic notions and useful 
lemmas for our proofs in Section 2.1. We then give the general upper bounds for CSI and TCS in Section 2.2. 
We also prove the general lower bounds for the sample complexity of CSI and TCS in Section 2.3. 

2.1 Basic Notions and Useful Lemmas 

Any quantum operations for extracting classical information from quantum states can be generally described by the positive operator-valued measure (POVM) [35, 21]. A POVM $M = \{M_i\}_{i\in S}$ associated with a set of outcomes $S$ is a set of Hermitian matrices satisfying that $M_i \ge 0$ ($i \in S$) and $\sum_{i\in S} M_i = I$. Then the probability of obtaining outcome $k \in S$ by the POVM $M$ from a quantum state $\rho$ is given by $\mathrm{tr}(M_k\rho)$.

The trace norm of a matrix $X \in \mathbb{C}^{d\times d}$ is useful to estimate success probability of quantum state distinction for two states, and is defined as $\|X\|_{\mathrm{tr}} = \max_{\|Y\|=1}\langle Y, X\rangle = \mathrm{tr}\sqrt{X^\dagger X}$, where $\|Y\|$ is the $\ell_2$-norm of a matrix $Y$ and $\langle Y, X\rangle = \mathrm{tr}\,Y^\dagger X$ is the matrix inner product. It is well known that for any two quantum states $\rho_0$ and $\rho_1$ the average success probability of the optimal POVM distinguishing between two quantum states is equal to $\frac{1}{2} + \frac{1}{4}\|\rho_0 - \rho_1\|_{\mathrm{tr}}$, i.e., $\frac{1}{2}\max_{M=\{M_0,M_1\}}(\mathrm{tr}\,M_0\rho_0 + \mathrm{tr}\,M_1\rho_1) = \frac{1}{2} + \frac{1}{4}\|\rho_0 - \rho_1\|_{\mathrm{tr}}$. See [4] for more details on the matrix analysis and [35, 21] on basics of the quantum information theory.

We make use of the PGM in order to prove the general upper bound for CSI. The following lemma shown by Hayashi and Nagaoka [22] is useful to estimate the error probability of the pretty good measurement. (See also Lemma 4.5 in [21].)

¹Strictly speaking, our bound is better than theirs up to a constant factor.



Lemma 2.1 (Hayashi and Nagaoka [22]) For any Hermitian matrices $S$ and $T$ satisfying that $I \ge S \ge 0$ and $T \ge 0$, it holds that $I - \sqrt{S+T}^{-1} S \sqrt{S+T}^{-1} \le 2(I - S) + 4T$, where $\sqrt{S+T}^{-1}$ is the generalized inverse matrix of $\sqrt{S+T}$.

In our several proofs, we need to calculate the rank of a coset state. The following lemma gives the estimation of the rank.

Lemma 2.2 For any coset state for a subgroup $H$ of a finite group $G$, it holds that $\mathrm{rank}(\rho_H) = \frac{|G|}{|H|}$.

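Proof. Let $|\psi\rangle$ be a purification of $\rho_H$ described as $|\psi\rangle = \frac{1}{\sqrt{|G|}}\sum_{g\in G}|g\rangle_A|f_H(g)\rangle_B$, where $f_H$ is the given function in the definition of HSP. Tracing out the register $A$, we have $\mathrm{rank}(\mathrm{tr}_A|\psi\rangle\langle\psi|) = |G/H|$. Since $\mathrm{rank}(\mathrm{tr}_A|\psi\rangle\langle\psi|) = \mathrm{rank}(\mathrm{tr}_B|\psi\rangle\langle\psi|)$, we obtain $\mathrm{rank}(\rho_H) = \frac{|G|}{|H|}$. □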

2.2 Lower Bounds 

We next prove the key theorem on lower bounds for CSI by a simple information-theoretic argument. This theorem generally gives the necessary number of identical samples of an unknown coset state for the identification.

Theorem 2.3 Let $\mathcal{H}$ be any set of candidate subgroups of a finite group $G$. Then, the sample complexity of CSI for $\mathcal{H}$ is at least $\Omega\left(\frac{\log|\mathcal{H}|}{\log\max_{H\in\mathcal{H}}|H|}\right)$.

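Proof. Let $M = \{M_H\}_{H\in\mathcal{H}}$ be any POVM associated with $S_{\mathcal{H}}$ using $k$ samples of the coset state. By using the fact that $|\langle X, Y\rangle| \le \|X\|\,\|Y\|_{\mathrm{tr}}$ for any matrices $X, Y \in \mathbb{C}^{d\times d}$, the probability of $M$ obtaining correct outcome is upper bounded by

$$\frac{1}{|\mathcal{H}|}\sum_{H\in\mathcal{H}}\mathrm{tr}\,M_H\rho_H^{\otimes k} = \frac{1}{|\mathcal{H}|}\sum_{H\in\mathcal{H}}\left|\langle M_H, \rho_H^{\otimes k}\rangle\right| \le \frac{1}{|\mathcal{H}|}\sum_{H\in\mathcal{H}}\|\rho_H^{\otimes k}\|\,\|M_H\|_{\mathrm{tr}} = \frac{1}{|\mathcal{H}|}\sum_{H\in\mathcal{H}}\|\rho_H\|^k\,\|M_H\|_{\mathrm{tr}} = \frac{1}{|\mathcal{H}|}\sum_{H\in\mathcal{H}}\|\rho_H\|^k\,\mathrm{tr}\,M_H$$

$$\le \frac{1}{|\mathcal{H}|}\max_{H\in\mathcal{H}}\|\rho_H\|^k\sum_{H\in\mathcal{H}}\mathrm{tr}\,M_H = \frac{1}{|\mathcal{H}|}\max_{H\in\mathcal{H}}\|\rho_H\|^k\,\mathrm{tr}\sum_{H\in\mathcal{H}}M_H = \frac{\left(\max_{H\in\mathcal{H}}\|\rho_H\|\,|G|\right)^k}{|\mathcal{H}|}.$$

Thus, the success probability of any quantum algorithm that solves CSI with $k$ coset states is upper bounded by $\frac{(\max_{H\in\mathcal{H}}\|\rho_H\|\,|G|)^k}{|\mathcal{H}|}$. Since the coset state $\rho_H = \frac{|H|}{|G|}\sum_{g\in G/H}|gH\rangle\langle gH|$ for any subgroup $H$ is a uniform summation of the matrices $|gH\rangle\langle gH|$ orthogonal to each other, we obtain $\|\rho_H\| = 1/\mathrm{rank}(\rho_H)$. It follows that $\|\rho_H\| = |H|/|G|$ by Lemma 2.2. The success probability is thus at most $\frac{(\max_{H\in\mathcal{H}}|H|)^k}{|\mathcal{H}|}$, which implies that any quantum algorithm that solves CSI for $\mathcal{H}$ requires $\Omega\left(\frac{\log|\mathcal{H}|}{\log\max_{H\in\mathcal{H}}|H|}\right)$ coset states in order to attain constant success probability. □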

As mentioned in Section 1, we do not have to identify a hidden subgroup to solve TCS. Thus, we cannot 
expect the same technique as the proof of the lower bound for CSI to work for that of TCS. We give another 
proof technique to obtain the lower bound for TCS. 

Theorem 2.4 Let $\mathcal{H}$ be any set of candidate subgroups of a finite group $G$. The sample complexity of TCS for $\mathcal{H}$ is at least $\Omega\left(\frac{\log|\mathcal{H}|}{\log\max_{H\in\mathcal{H}}|H|}\right)$ if $|H|$ is a prime for every $H \in \mathcal{H}$.

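Proof. We first show that the success probability of solving TCS for $\mathcal{H}$ is upper bounded by that of identification for certain two quantum states. Let $M = \{M_0, M_1\}$ be any POVM associated with $\{\{\mathrm{id}\}, \mathcal{H}\}$. The success probability of $M$ is given by $\min\{\mathrm{tr}\,M_0(I/|G|)^{\otimes k}, \min_{\rho_H\in S_{\mathcal{H}}}\mathrm{tr}\,M_1\rho_H^{\otimes k}\}$. Also, it holds by the linearity of the trace and the POVM that $\mathrm{tr}\,M_1\left(\frac{1}{|\mathcal{H}|}\sum_{\rho_H\in S_{\mathcal{H}}}\rho_H^{\otimes k}\right) = \frac{1}{|\mathcal{H}|}\sum_{\rho_H\in S_{\mathcal{H}}}\mathrm{tr}\,M_1\rho_H^{\otimes k} \ge \min_{\rho_H\in S_{\mathcal{H}}}\mathrm{tr}\,M_1\rho_H^{\otimes k}$. Thus, the success probability is at most $\min\{\mathrm{tr}\,M_0(I/|G|)^{\otimes k}, \frac{1}{|\mathcal{H}|}\sum_{\rho_H\in S_{\mathcal{H}}}\mathrm{tr}\,M_1\rho_H^{\otimes k}\}$. This is equal to the success probability of the identification for $(I/|G|)^{\otimes k}$ and $\frac{1}{|\mathcal{H}|}\sum_{\rho_H\in S_{\mathcal{H}}}\rho_H^{\otimes k}$.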



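Note that we cannot apply the argument of Theorem 2.3 to the identification. Instead, we directly evaluate an upper bound of the trace norm of the matrix $X = \frac{1}{|\mathcal{H}|}\sum_{\rho_H\in S_{\mathcal{H}}}\rho_H^{\otimes k} - (I/|G|)^{\otimes k}$. Then the success probability of the identification is at most $\frac{1}{2} + \frac{1}{4}\|X\|_{\mathrm{tr}}$ by the property of the trace norm. Naively expanding $X$, we obtain by the triangle inequality

$$\|X\|_{\mathrm{tr}} = \left\|\frac{1}{|\mathcal{H}|}\sum_{H\in\mathcal{H}}\frac{1}{|G|^k}\sum_{g_1,\dots,g_k\in G}\left(\sum_{h_1,\dots,h_k\in H}|g_1,\dots,g_k\rangle\langle g_1h_1,\dots,g_kh_k| - |g_1,\dots,g_k\rangle\langle g_1,\dots,g_k|\right)\right\|_{\mathrm{tr}}$$

$$= \frac{1}{|\mathcal{H}|\,|G|^k}\left\|\sum_{H\in\mathcal{H}}\ \sum_{g_1,\dots,g_k\in G}\ \sum_{\substack{h_1,\dots,h_k\in H\\ (h_1,\dots,h_k)\ne(\mathrm{id},\dots,\mathrm{id})}}|g_1,\dots,g_k\rangle\langle g_1h_1,\dots,g_kh_k|\right\|_{\mathrm{tr}}$$

$$\le \frac{1}{|\mathcal{H}|\,|G|^k}\sum_{g_1,\dots,g_k\in G}\big\||g_1,\dots,g_k\rangle\big\|\cdot\left\|\sum_{H\in\mathcal{H}}\ \sum_{\substack{h_1,\dots,h_k\in H\\ (h_1,\dots,h_k)\ne(\mathrm{id},\dots,\mathrm{id})}}\langle g_1h_1,\dots,g_kh_k|\right\|$$

$$= \frac{1}{|\mathcal{H}|}\sqrt{\sum_{H,H'\in\mathcal{H}}|H\cap H'|^k - |\mathcal{H}|^2} = \sqrt{\frac{1}{|\mathcal{H}|^2}\left(\sum_{H\in\mathcal{H}}|H|^k + \sum_{H\ne H'}|H\cap H'|^k\right) - 1} \le \sqrt{\frac{\max_{H\in\mathcal{H}}|H|^k}{|\mathcal{H}|}}.$$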



In the last inequality, we use the fact that $|H \cap H'| = 1$ for any distinct $H$ and $H'$, which follows from the prime order of the subgroups.

In order to have this trace norm larger than some positive constant, $k$ must be $\Omega\left(\frac{\log|\mathcal{H}|}{\log\max_{H\in\mathcal{H}}|H|}\right)$. Thus $\Omega\left(\frac{\log|\mathcal{H}|}{\log\max_{H\in\mathcal{H}}|H|}\right)$ samples are necessary for constant advantage. □



2.3 Upper Bounds 

We present general upper bounds for CSI and TCS in this section. First, we prove the upper bound for CSI by using the PGM for $S_{\mathcal{H}}$. In this proof, we make use of Lemma 2.1 to estimate the error probability of the PGM.

Theorem 2.5 Let $\mathcal{H}$ be any set of candidate subgroups of a finite group $G$. Then, the sample complexity of CSI for $\mathcal{H}$ is at most $O\left(\frac{\log|\mathcal{H}|}{\log\min_{H\ne H'\in\mathcal{H}}(|H|/|H\cap H'|)}\right)$.

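Proof. Let $P_H$ be the projection onto the space spanned by $\mathrm{supp}(\rho_H)$ for $H \in \mathcal{H}$. We consider the pretty good measurement $M = \{\Sigma^{-1/2}P_H^{\otimes k}\Sigma^{-1/2}\}_{H\in\mathcal{H}}$ for $S_{\mathcal{H}}$, where $\Sigma = \sum_{H\in\mathcal{H}}P_H^{\otimes k}$. Let $\gamma_{H,H'} = |\{(h,h') \in H\times H' : hh' = \mathrm{id}\}| = |H\cap H'|$ for $H, H' \in \mathcal{H}$. We now prove that the error probability of $M$ is at most $4\sum_{H'\ne H}\left(\frac{\gamma_{H,H'}}{|H'|}\right)^k$ if the given state is $\rho_H$.
Since we have

$$\mathrm{tr}\,\rho_H\rho_{H'} = \frac{1}{|G|^2}\sum_{g,g'\in G}\ \sum_{h\in H,\,h'\in H'}\mathrm{tr}\,|g\rangle\langle gh|g'\rangle\langle g'h'| = \frac{1}{|G|^2}\sum_{g\in G}\ \sum_{h\in H,\,h'\in H'}\mathrm{tr}\,|g\rangle\langle ghh'| = \frac{1}{|G|^2}\sum_{g\in G}\ \sum_{\substack{h\in H,\,h'\in H'\\ hh'=\mathrm{id}}}1 = \frac{\gamma_{H,H'}}{|G|},$$

it follows that $\mathrm{tr}\,P_HP_{H'} = \frac{|G|\,\gamma_{H,H'}}{|H|\,|H'|}$. Setting $S = P_H^{\otimes k}$ and $T = \sum_{H'\ne H}P_{H'}^{\otimes k}$ in Lemma 2.1, if the given state is $\rho_H$, the error probability of $M$ is

$$\mathrm{tr}\left(I - \Sigma^{-1/2}P_H^{\otimes k}\Sigma^{-1/2}\right)\rho_H^{\otimes k} \le 2\,\mathrm{tr}\left(I - P_H^{\otimes k}\right)\rho_H^{\otimes k} + 4\,\mathrm{tr}\left(\sum_{H'\ne H}P_{H'}^{\otimes k}\right)\rho_H^{\otimes k} = 4\sum_{H'\ne H}\left(\mathrm{tr}\,P_{H'}\rho_H\right)^k = 4\sum_{H'\ne H}\left(\frac{\gamma_{H,H'}}{|H'|}\right)^k.$$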



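We can easily obtain the upper bound of the error probability from the above estimation. Since we have

$$4\max_{H\in\mathcal{H}}\sum_{H'\ne H}\frac{\gamma_{H,H'}^k}{|H'|^k} \le 4|\mathcal{H}|\max_{H\ne H'\in\mathcal{H}}\left(\frac{|H\cap H'|}{|H|}\right)^k,$$

the error probability of $M$ is at most $4|\mathcal{H}|\max_{H\ne H'\in\mathcal{H}}\left(\frac{|H\cap H'|}{|H|}\right)^k$, which implies that $O\left(\frac{\log|\mathcal{H}|}{\log\min_{H\ne H'\in\mathcal{H}}(|H|/|H\cap H'|)}\right)$ samples of coset states are sufficient for constant success probability. □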
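
The following added example (not part of the paper) checks Lemma 2.2 and the overlap identity tr ρ_H ρ_H' = |H ∩ H'|/|G| exactly on S_4 with the candidate set H_sym, then evaluates the Theorem 2.5 PGM error bound and the Theorem 2.3 cap on the success probability. The function names and the choice n = 4 are assumptions made for the illustration.

```python
# Added illustration, not code from the paper. Function names are hypothetical
# and the sample group S_4 is an assumption chosen to keep matrices small.
from fractions import Fraction
from itertools import permutations

def compose(p, q):
    """Product of permutations stored as tuples: (p*q)(i) = p[q[i]]."""
    return tuple(p[i] for i in q)

def generated(h):
    """Cyclic subgroup <h> as a frozenset of permutation tuples."""
    ident = tuple(range(len(h)))
    elems, cur = {ident}, h
    while cur != ident:
        elems.add(cur)
        cur = compose(cur, h)
    return frozenset(elems)

def candidates_sym(n):
    """Candidate set H_sym: subgroups generated by fixed-point-free involutions."""
    ident = tuple(range(n))
    return [generated(p) for p in permutations(range(n))
            if compose(p, p) == ident and all(p[i] != i for i in range(n))]

def coset_state(G, H):
    """rho_H = (1/|G|) sum_g |gH><gH| as an exact matrix of Fractions."""
    index = {g: i for i, g in enumerate(G)}
    weight = Fraction(1, len(G) * len(H))
    rho = [[Fraction(0)] * len(G) for _ in G]
    for g in G:
        coset = [index[compose(g, h)] for h in H]
        for a in coset:
            for b in coset:
                rho[a][b] += weight
    return rho

def trace_product(A, B):
    """tr(AB) for square matrices given as lists of rows."""
    n = len(A)
    return sum(A[i][j] * B[j][i] for i in range(n) for j in range(n))

def rank(M):
    """Rank by exact Gaussian elimination over the rationals."""
    M = [row[:] for row in M]
    r = 0
    for c in range(len(M)):
        piv = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(r + 1, len(M)):
            if M[i][c] != 0:
                f = M[i][c] / M[r][c]
                M[i] = [x - f * y for x, y in zip(M[i], M[r])]
        r += 1
    return r

def pgm_error_bound(cands, k):
    """Theorem 2.5 bound: 4 * (number of candidates) * max (|H n H'|/|H|)^k."""
    worst = max(Fraction(len(H & K), len(H))
                for H in cands for K in cands if H != K)
    return 4 * len(cands) * worst ** k

def sufficient_samples(cands, eps):
    """Smallest k for which the PGM error bound is at most eps."""
    if pgm_error_bound(cands, 1) == 4 * len(cands):
        raise ValueError("one candidate contains another; the bound never decays")
    k = 1
    while pgm_error_bound(cands, k) > eps:
        k += 1
    return k

def success_upper_bound(cands, k):
    """Theorem 2.3 cap: (max |H|)^k / (number of candidates), clipped at 1."""
    largest = max(len(H) for H in cands)
    return min(Fraction(1), Fraction(largest ** k, len(cands)))

if __name__ == "__main__":
    G = list(permutations(range(4)))      # S_4, |G| = 24
    cands = candidates_sym(4)             # three subgroups of order 2
    rhos = [coset_state(G, H) for H in cands]
    print("ranks:", [rank(r) for r in rhos])
    print("tr rho_H rho_H':", trace_product(rhos[0], rhos[1]))
    print("k for error <= 1/3:", sufficient_samples(cands, Fraction(1, 3)))
    print("success cap, k = 1:", success_upper_bound(cands, 1))
```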

Next, we present the general upper bound for TCS as follows. This upper bound can be attained by a simple 
two-valued POVM. 

Theorem 2.6 Let $\mathcal{H}$ be any set of candidate subgroups of a finite group $G$. Then the sample complexity of TCS for $\mathcal{H}$ is at most $O\left(\frac{\log|\mathcal{H}|}{\log\min_{H\in\mathcal{H}}|H|}\right)$.

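Proof. We consider a projection $T$ onto the space spanned by $\bigcup_{H\in\mathcal{H}}\mathrm{supp}(\rho_H^{\otimes k})$. It obviously holds that $\mathrm{tr}\,T\rho_H^{\otimes k} = 1$ for every $H \in \mathcal{H}$. On the other hand, the error probability is given by $\mathrm{tr}\,T(I/|G|)^{\otimes k}$. Then we have $\mathrm{tr}\,T(I/|G|)^{\otimes k} = \frac{\mathrm{rank}\,T}{|G|^k} \le \frac{\sum_{H\in\mathcal{H}}\mathrm{rank}(\rho_H)^k}{|G|^k}$. Since $\mathrm{rank}(\rho_H) = |G|/|H|$ by Lemma 2.2, we obtain $\frac{\sum_{H\in\mathcal{H}}\mathrm{rank}(\rho_H)^k}{|G|^k} = \sum_{H\in\mathcal{H}}\frac{1}{|H|^k} \le \frac{|\mathcal{H}|}{\min_{H\in\mathcal{H}}|H|^k}$. This implies that at most $O\left(\frac{\log|\mathcal{H}|}{\log\min_{H\in\mathcal{H}}|H|}\right)$ samples of coset states are sufficient for constant advantage. □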



3 Security Evaluation of Quantum Encryption Schemes 

Our arguments are applicable not only to bounds for HSP but also to security evaluation of quantum cryptographic schemes. In this section, we apply our arguments to evaluation of the information-theoretic security of the quantum encryption schemes proposed in [25, 26]. As mentioned in Section 1, they proposed single-bit and multi-bit quantum encryption schemes. While they gave the complexity-theoretic security to the single-bit scheme under the assumption of the worst-case hardness of the decisional graph automorphism problem, the multi-bit one has no security proof. Also, they have already proven in [26] that any computationally unbounded quantum algorithm cannot solve a certain quantum state distinction problem that underlies the single-bit scheme with few samples by reducing the solvability of their distinction problem to the result of [17]. On the other hand, the security of their encryption schemes, as well as the underlying problem for their multi-bit scheme, are not evaluated yet from a viewpoint of the quantum information theory.

Their schemes make use of certain quantum states for their encryption keys and ciphertexts. We now 
call these quantum states encryption-key states and cipherstates, respectively. Since their multi-bit encryption 
scheme contains the single-bit one as a special case if we ignore its efficiency and complexity-theoretic security, 
we only discuss their multi-bit scheme in this paper. 

We now describe their multi-bit encryption scheme in detail. Assume that the message length parameter $m$ divides the security parameter $n$, where $m \in \{2,\dots,n\}$. Let $\mathcal{K}_n^m = \{h : h = (a_1\cdots a_m)\cdots(a_{n-m+1}\cdots a_n),\ a_i \in \{1,\dots,n\},\ a_i \ne a_j\ (i \ne j)\} \subset S_n$, i.e., a set of the permutations composed of $n/m$ disjoint cyclic permutations, which is used for the decryption key. In this scheme, we exploit the following quantum state for a message $s$: $\rho_h^{(s)} = \frac{1}{m\,n!}\sum_{g\in S_n}\left(\sum_{t=0}^{m-1}\omega_m^{ts}|gh^t\rangle\right)\left(\sum_{t=0}^{m-1}\omega_m^{-ts}\langle gh^t|\right)$, where $\omega_m = e^{2\pi i/m}$ and $h \in \mathcal{K}_n^m$. Note that $\rho_h^{(0)}$ is the coset state for the hidden subgroup $\{\mathrm{id}, h, \dots, h^{m-1}\}$.

We now refer to as $(n, m)$-QES their multi-bit encryption scheme with the security parameter $n$ and the message length parameter $m$. The protocol of $(n, m)$-QES is summarized as follows.

Protocol: $(n, m)$-QES

(1) The receiver Bob chooses his decryption key $h$ uniformly at random from $\mathcal{K}_n^m$ and generates the encryption-key states $\sigma_h = (\rho_h^{(0)}, \dots, \rho_h^{(m-1)})$.

(2) The sender Alice requests the encryption-key state $\sigma_h$ to Bob. She picks $\rho_h^{(s)}$ up from $\sigma_h$ as the cipherstate corresponding to her classical message $s \in \{0,\dots,m-1\}$ and then sends it to him.

(3) Bob decrypts her cipherstate $\rho_h^{(s)}$ with his decryption key $h$.

We assume the same adversary model except for Eve's computational power as the original ones in
Note that the eavesdropper Eve can also request the same encryption-key states to Bob as one of senders. Eve in advance requests the encryption-key states to Bob. When Alice sends to Bob her cipherstate that Eve wants to eavesdrop, Eve picks up Alice's cipherstate and then tries to extract Alice's message from the cipherstate with the encryption-key states by a computationally unbounded quantum computer, i.e., Eve can apply an arbitrary POVM over the cipherstates and encryption-key states to extract Alice's message.

We consider a stronger security notion such that Eve cannot distinguish between even two candidates, i.e., she cannot find a non-negligible gap between $\mathrm{tr}\,M_1(\rho_h^{(s)}\otimes\sigma_h^{\otimes k})$ and $\mathrm{tr}\,M_1(\rho_h^{(s')}\otimes\sigma_h^{\otimes k})$ even by the optimal POVM $M = \{M_0, M_1\}$ when Bob chooses $h$ uniformly at random. This notion naturally extends the computational indistinguishability of encryptions, which is the standard security notion in the modern cryptography [13], to the information-theoretic one.

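Since the gap is at most $\frac{1}{2}\left\|\frac{1}{|\mathcal{K}_n^m|}\sum_{h\in\mathcal{K}_n^m}\left(\rho_h^{(s)}\otimes\sigma_h^{\otimes k} - \rho_h^{(s')}\otimes\sigma_h^{\otimes k}\right)\right\|_{\mathrm{tr}}$, this notion can be formalized by the trace norm between them. Then, we say that the cipherstates are information-theoretically indistinguishable within $k$ encryption-key states if $\left\|\frac{1}{|\mathcal{K}_n^m|}\sum_{h\in\mathcal{K}_n^m}\left(\rho_h^{(s)}\otimes\sigma_h^{\otimes k} - \rho_h^{(s')}\otimes\sigma_h^{\otimes k}\right)\right\|_{\mathrm{tr}} = 2^{-\Omega(n)}$.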

For this security notion, we can obtain the following theorem by our information-theoretic arguments. The proof is almost straightforward by Theorem 2.4.

Theorem 3.1 The cipherstates of $(n, m)$-QES are information-theoretically indistinguishable within $o\left(\frac{n\log n}{m\log m}\right)$ encryption-key states.



Proof. Let $I_s = \left\|\frac{1}{|\mathcal{K}_n^m|}\sum_{h\in\mathcal{K}_n^m}\rho_h^{(s)}\otimes\sigma_h^{\otimes k} - (I/n!)^{\otimes(mk+1)}\right\|_{\mathrm{tr}}$. Then the trace norm between two state sequences given in the definition of the information-theoretic indistinguishability is at most $I_s + I_{s'}$ by the triangle inequality. Since the trace norm is invariant under unitary transformations, we can show that $I_s + I_{s'} = 2I_0$ by taking appropriate unitary operators. Then we can prove that $I_0$ < ^jrn^^^^ IYK"^\ by the argument of Theorem 2.4. Since we have $|\mathcal{K}_n^m|$ « "' ,7'„/„, — by the standard counting method and the Stirling approximation, the trace norm is at most $2^{-\Omega(n)}$ if $k = o\left(\frac{n\log n}{m\log m}\right)$. □

For example, when we set $m = n^{\epsilon}$ for any constant $0 < \epsilon < 1$, we obtain the $\epsilon\log n$-bit encryption scheme whose cipherstates are information-theoretically indistinguishable within $o(n^{1-\epsilon})$ encryption-key states.

4 Concluding Remarks 

In this paper, we have shown general bounds for CSI and TCS, and an application to the security evaluation of the quantum encryption schemes. We believe such an information-theoretic approach will help constructions of efficient quantum algorithms for non-Abelian HSPs as in the case of [2]. After our preliminary version of this paper, Harrow and Winter followed our approach to prove the existence of a quantum measurement for identifying general quantum states and lower bounds of samples for the identification [19]. Their results generalize and improve our bounds for CSI.